Ascension St. Vincent’s Coastal Cardiology

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

In August 2022, Ascension St. Vincent’s Coastal Cardiology in Brunswick, Georgia, experienced a significant healthcare data breach affecting its legacy systems. The incident impacted 71,227 individuals and involved the encryption of some information by ransomware. The breach specifically targeted the legacy electronic medical record (EMR) system of the recently acquired Ascension St. Vincent’s Coastal Cardiology, leaving the current networks and systems, including the active EMR, unaffected[1][5].

The compromised legacy system contained a wide range of personal and health information related to visits at Coastal Cardiology prior to October 5, 2021. This included demographic details (name, address, email address, phone number, insurance information), as well as potentially sensitive data such as Social Security numbers (if provided), clinical information, and billing and insurance details[1][3]. Despite the encryption of data by the attackers, Ascension St. Vincent’s Coastal Cardiology has stated that it does not believe any information was removed from the systems or misused[3][6].

In response to the breach, Ascension St. Vincent’s Coastal Cardiology took immediate steps to secure the legacy network and initiated a comprehensive investigation with the assistance of a third-party forensic team. The organization also notified law enforcement and has been cooperating with the law enforcement investigation. To mitigate the risk of identity theft and fraud for affected individuals, the organization offered a complimentary two-year membership in Experian’s IdentityWorks, a service that provides identity detection and identity theft resolution[3][5].

Furthermore, a class action lawsuit has been filed against Coastal Cardiology P.C., alleging failure to adequately protect patient information from a foreseeable cyberattack and criticizing the timeliness of the breach notification to victims. The lawsuit seeks to represent all individuals whose personal information was compromised as a result of the breach[4].

This incident is part of a broader trend of increasing cyberattacks and data breaches within the healthcare sector, highlighting the critical importance of robust cybersecurity measures and prompt incident response strategies to protect sensitive patient information[2].

Citations:

  1. https://healthitsecurity.com/news/healthcare-data-breach-at-ga-cardiology-practice-impacts-71k
  2. https://www.hipaajournal.com/october-2022-healthcare-data-breach-report/
  3. https://www.mass.gov/doc/assigned-data-breach-number-28421-ascension-st-vincents-coastal-cardiology/download
  4. https://www.classaction.org/news/class-action-claims-ascension-st.-vincents-coastal-cardiology-failed-to-prevent-data-breach-affecting-over-70k-patients
  5. https://www.jdsupra.com/legalnews/ascension-st-vincent-s-coastal-6277323/
  6. https://www.scmagazine.com/analysis/ransomware-attack-on-ascension-st-vincents-legacy-emr-spurs-breach-notice
  7. https://www.beckershospitalreview.com/cybersecurity/ascension-st-vincent-legacy-ehr-system-hit-by-ransomware-attack.html
  8. https://www.linkedin.com/posts/amir-sternhell-91656a_healthcare-data-breach-at-ga-cardiology-practice-activity-7000470639740362753-Fyzz?trk=public_profile_like_view
  9. https://www.beckershospitalreview.com/cybersecurity/ascension-st-vincent-legacy-ehr-system-hit-by-ransomware-attack?utm_campaign=bhr&utm_content=related&utm_source=website

Breach Submission Date: Oct 14, 2022
Converted Entity Name: Ascension St. Vincent’s Coastal Cardiology
Converted Entity Type: Healthcare Provider
State: GA
Individuals Affected: 71,227
Breach Type: Hacking/IT Incident
Breach Information Location: Network Server
Business Associate Present: Yes